IN THE UNITED STATES DESIGNATED/ELECTED OFFICE (D.O./E.O./US) 

Applicant: Louis GOUBIN et al. 

International Application No.: PCT/FR00/00902 
International Filing Date: 7 April 2000 

U.S. Serial No.: To be Assigned 
U.S. Filing Date: December 8 2000 

For: METHOD FOR MAKING SECURE ONE OR SEVERAL COMPUTER INSTALLATIONS USING A COMMON CRYPTOGRAPHIC SECRET KEY ALGORITHM, USE OF THE METHOD AND COMPUTER INSTALLATION 

McLean, Virginia 

PRELIMINARY AMENDMENT 



Honorable Commissioner of Patents and Trademarks 
Washington, D.C. 20231 

Sir: 

Please amend the subject application, filed concurrently herewith, as 
indicated below: 

IN THE TITLE: 

Delete the title in its entirety and substitute the following new title: 
--METHOD FOR MAKING SECURE ONE OR SEVERAL COMPUTER INSTALLATIONS USING A COMMON SECRET KEY ALGORITHM, USE OF THE METHOD AND A COMPUTER SYSTEM UTILIZING THE METHOD-- 
IN THE SPECIFICATION: 
T2146-906738/BC-US 3826/BC(PCT) 

After the title and before the first paragraph on page 1, insert the following 
heading at the left-hand margin: 
--FIELD OF THE INVENTION--; 

Page 1, line 7, insert a paragraph indentation before the sentence beginning 
"More precisely,..." and insert the following heading at the left-hand margin: 
--BACKGROUND OF THE INVENTION--; 

Page 1, line 21, delete "We are" and substitute --The invention herein is--; 

Page 1, line 22, before "algorithms", insert --cryptographic--; 

Page 1, at line 26, before the paragraph beginning "Attacks,...", insert the 
following heading at the left-hand margin: 
--DESCRIPTION OF RELATED ART--; 

Page 1, line 30, before "incorporated", insert --the subject matter of which is 
hereby--; 

Page 2, line 7, delete "we will consider"; 

Page 2, line 8, after "algorithm", delete ", a description of which", and 
substitute --will be considered. A description--; 

Page 9, line 17, in the second equation, delete "to" and substitute --into--; 

Page 9, line 18, in the equation, delete "to" and substitute --into--; 

Page 12, at line 5, and before the paragraph beginning "One of the objects of 
the ...", insert the following paragraph at the left-hand margin: 
--SUMMARY OF THE INVENTION--; 

Page 15, at line 26 and before the paragraph beginning "Other characteristics 
and advantages...", insert the following heading at the left-hand margin: 
--BRIEF DESCRIPTION OF THE DRAWINGS--; 

Page 16, at line 14 and before the paragraph beginning "The invention...", 
insert the following heading at the left-hand margin: 
--DESCRIPTION OF THE PREFERRED EMBODIMENT--; 

Page 20, after line 18, insert the following new paragraph: 
--While this invention has been described in conjunction with specific 
embodiments thereof, it is evident that many alternatives, modifications and 
variations will be apparent to those skilled in the art. Accordingly, the preferred 
embodiments of the invention as set forth herein are intended to be illustrative, not 
limiting. Various changes may be made without departing from the true spirit and full 
scope of the invention as set forth herein and defined in the claims.-- 
IN THE CLAIMS: 

Please cancel claims 1 - 26 in their entirety and without prejudice and 
substitute the following new claims: 

27. A method for protecting one or more computer systems using the same secret key (Ks) cryptographic algorithm, characterized in that secret data (Ds) stored in a secret area of the computer system or systems is utilized to perform a cryptographic calculation for each computer system and for each secret key. 

28. The method according to claim 27, characterized in that, for each computer system and for each secret key (Ks), the way in which said secret data (Ds) is used to perform said cryptographic calculation is public. 

29. The method according to claim 27, characterized in that in each of the computer systems, each secret key (Ks) used by said cryptographic calculation corresponds to a specific piece of said secret data (Ds). 



30. A method according to claim 27 for protecting one or more computer systems wherein the cryptographic calculation uses nonlinear transformations of km bits into kn bits described by k conversion tables in which n output bits of the transformation are read at an address that is a function of the km input bits, and for each of said nonlinear transformations, said k tables are part of the secret data (Ds). 
31. A method according to claim 27 for protecting one or more computer systems wherein the cryptographic calculation process uses nonlinear transformations of km bits into kn bits described by k conversion tables in which n output bits of the transformation are read at an address obtained by applying a secret bijective function (φ) to an m-bit value, itself obtained by applying a public function of the km input bits of the nonlinear transformation, and for each of said nonlinear transformations, said k tables are part of the secret data (Ds). 
32. The method according to claim 27, comprising storing a conversion table calculation program in each computer system and activating the calculation program by a given event in order to calculate tables and store all or part of said tables in the secret data (Ds). 

33. A computer system comprising storage means for storing a modified cryptographic algorithm that adheres to computational phases of a standard cryptographic algorithm, a secret encryption key contained in a secret area of the storage means for modifying the standard cryptographic algorithm, means for executing said modified cryptographic algorithm, first secret means for replacing intermediate variables required for the computational phases of the standard algorithm with a plurality (k) of partial intermediate variables, second means for applying a nonlinear transformation table to each of said partial intermediate variables, and third secret means for reconstituting a final result corresponding to utilization of the standard cryptographic algorithm from results obtained on the partial variables. 

34. A computer system according to claim 33, characterized in that the secret encryption key stored in the secret area includes at least one first random variable v1 constituting at least one secret partial variable, and the modified cryptographic algorithm determines at least one other partial variable v2 by applying a first secret function to the intermediate variable v and the secret partial variable or variables v1. 

35. A computer system according to claim 34, characterized in that the modified cryptographic algorithm includes tables used for applying the nonlinear transformations to the partial variables v1 and v2, at least one of said tables (A), formed by random selection, being stored in the secret data Ds, the other tables required for the calculations being stored in a nonvolatile memory, means for executing various computational rounds of the standard algorithm, each time using the tables on the partial variables, and means for calculating the result in the last round of the algorithm by combining the partial variables in accordance with a second secret function. 

36. A computer system according to claim 33, characterized in that the first secret means of the modified algorithm are constituted by a function f linking the partial intermediate variables and each intermediate variable (v), such that the knowledge of one value of said intermediate variable never makes it possible to deduce all of the particular partial values vi such that there exists a (k-1)-tuple (v1, ..., v(i-1), v(i+1), ..., vk) that satisfies the equation f(v1, ..., vk) = v. 

37. A computer system according to claim 33, characterized in that the second means of the modified algorithm are constituted by k partial conversion tables, and among the k partial conversion tables, k-1 partial conversion tables contain secret random variables. 

38. A computer system according to claim 37, characterized in that the second means of the modified algorithm comprise k conversion tables, each of said conversion tables receiving as input a value obtained by applying a secret bijective function φj to said function f(v1, ..., vk) of the partial intermediate variables in accordance with the relation φj ∘ f(v1, ..., vk), j ∈ [1,k], this application φj ∘ f(v1, ..., vk) being performed by direct evaluation of a resulting value, this resulting value, applied to the input of the conversion table, making it possible to read n output bits of the transformation at an address that is a function of these m input bits. 

39. A computer system according to claim 33, characterized in that the second means of the modified algorithm comprise means for replacing each nonlinear transformation applied to an intermediate variable of the standard cryptographic calculation process, without a separation, with a partial nonlinear transformation of km bits into kn bits applied to all of the partial intermediate variables, means for calculating (k-1)n of said output bits of this transformation as a polynomial function of the km input bits, and means for reading the remaining n bits of said output bits by reading a conversion table in which the n remaining bits are read at an address that is a function of the km input bits. 

40. A computer system according to claim 33, characterized in that it further includes means for sequentially executing operations performed by the modified algorithm in the various parts resulting from the separation of the cryptographic calculation process into several distinct calculation process parts. 

41. A computer system according to claim 33, characterized in that it includes means for executing, in interleaved fashion, operations performed in the various parts resulting from the separation of the cryptographic calculation process into several distinct calculation process parts. 

42. A computer system according to claim 33, characterized in that it includes means for simultaneously executing operations performed in the various parts resulting from the separation of the cryptographic calculation process into several distinct calculation process parts, in the event of multiprogramming. 

43. A computer system according to claim 33, characterized in that it includes means for simultaneously executing, in different processors working in parallel, the operations performed in the various parts resulting from the separation of the cryptographic calculation process into several distinct calculation process parts. 

44. A computer system according to claim 33, characterized in that it includes a conversion table calculation program stored in each computer system and means for activation by a given event of the calculation of the tables and for the storage of all or part of these tables in the secret data. 

45. A computer system according to claim 33, further including a counter having means for storing a value that is incremented with each cryptographic calculation so as to constitute a given event for the activation, by activating means, of the calculation of the tables when a given value is exceeded.-- 






T2147-906626-US 3822/JPL(PCT) 



IN THE ABSTRACT: 

Please delete line 7, "Fig. 1", from the Abstract. 

REMARKS 

This Preliminary Amendment is filed to insert headings to conform the 
application to U.S. practice, and to correct informalities in the specification, claims 
and abstract resulting from a literal translation of the French text. 
Early action on the merits is earnestly solicited. 

Respectfully submitted, 
MILES & STOCKBRIDGE P.C. 



Date: December 8, 2000 




Edward J. Kondracki 
Registration No. 20,604 



1751 Pinnacle Drive - Suite 500 
McLean, VA 22102-3833 
Tel.: 703/903-9000 
Fax: 703/610-8686 



METHOD FOR MAKING SECURE ONE OR SEVERAL COMPUTER INSTALLATIONS USING A COMMON CRYPTOGRAPHIC SECRET KEY ALGORITHM, USE OF THE METHOD AND COMPUTER INSTALLATION 



The present invention relates to a method for protecting one or more computer systems using the same secret key cryptographic algorithm, a utilization of the method and the computer system. More precisely, the purpose of the method is to make the way in which a calculation is performed dependent on secret data, which data can be different depending on the computer system involved or the secret key used. The objective is to enable computer systems not to be vulnerable to a certain type of physical attack known as "Differential Key Differential Power Analysis," abbreviated DKDPA, which seeks to obtain information on a secret key by studying the electric power consumption of the computer system or systems during several executions of the calculation performed with different secret keys, at least one of which is known by the attacker (for example if he has been able, for at least one of these calculations, to set the secret key himself). 

The cryptographic algorithms considered herein use a secret key to calculate a piece of output information from a piece of input information; this can involve an encryption, decryption, signature, signature verification, authentication or non-repudiation operation. They are constructed so that an attacker who knows the inputs and the outputs cannot in practice deduce any information on the secret key itself. 

We are therefore interested in a broader class than the one traditionally designated by the expression secret key algorithms, or symmetric algorithms. In particular, all of what is described in the present patent application also applies to so-called public key or asymmetric algorithms, which actually include two keys, one public, the other secret, the latter being the one sought by the attacks described below. 

Attacks of the Power Analysis type, developed by Paul Kocher and Cryptography Research (see the document "Introduction to Differential Power Analysis and Related Attacks" by Paul Kocher, Joshua Jaffe, and Benjamin Jun, Cryptography Research, 870 Market St., Suite 1008, San Francisco, CA 94102, a publication of the HTML document found at the URL address http://www.cryptography.com/dpa/technical/index.html, incorporated into the present application as a reference), start with the assumption that in reality, the attacker can acquire information other than just the input and output data during the execution of the calculation, such as for example the electric power consumption of the microcontroller or the electromagnetic radiation emitted by the circuit. 

Differential Power Analysis, abbreviated DPA, is an attack that makes it possible to obtain information on the secret key contained in the computer system by performing a statistical analysis of the power consumption measurements performed on a large number of calculations with this same key. 

As a non-limiting example, we will consider the case of the DES (Data Encryption Standard) algorithm, a description of which can be found in any of the following documents: 

- FIPS PUB 46-2, Data Encryption Standard, 1994; 
- FIPS PUB 74, Guidelines for Implementing and Using the NBS Data Encryption Standard, 1981; 
- ANSI X3.92, American National Standard, Data Encryption Algorithm, 1981; 
- ISO/IEC 8731:1987, Banking - Approved Algorithms for Message Authentication - Part 1: Data Encryption Algorithm (DEA), 

or in the following book: 

- Bruce Schneier, Applied Cryptography, 2nd Edition, John Wiley & Sons, 1996, page 270. 

The above-mentioned documents are incorporated into the present application as references. 

The DES algorithm is implemented in 16 steps called rounds, represented in Fig. 2A. In each of the 16 rounds, a transformation F is performed on 32 bits (Ri), which in the first round constitute half (R0) of the input message (E). In each of the rounds, a part (Ri) formed of 32 bits of the information to be encrypted is combined in the function F with a part (Ki) formed of 32 bits of the secret encryption key (Ks). This function F performs, in each round, eight nonlinear transformations of 6 bits into 4 bits, noted (Figs. 1B, 2B) S1, S2, ..., S8, that are encoded, each stored in an encoding table called an S-box. These eight S-boxes are identical for all cards or for all computer systems. Only the encryption key changes from one card to another or from one computer system to another. Each S-box is a table with 64 (2^6) rows of four 1-bit columns. Quite clearly, these tables can be arranged differently in memory in order to save space. 

From the construction of the DES algorithm, we see in Fig. 2B that the transformations performed by the function F on the 32 bits of information constituting (Ri) can always fall into one of the following categories: 

- a permutation of the bits of Ri, followed by an expansion of Ri to 48 bits, in order to obtain the information R'i; 

- an exclusive-OR of R'i with a variable Ki depending solely on the key or a subkey, in order to obtain a 48-bit result R''i; 

- a nonlinear transformation of R''i by applying a different S-box to each 6-bit portion constituting R''i; 

- a permutation called P (this permutation is defined and imposed by the DES standard) on the 32 bits output from the set constituted by the eight S-boxes (S1 through S8). 

The result obtained by applying the function F is combined in an exclusive-OR either with the other 32 bits of the message, or with the 32 bits of the result supplied in step i-2, in order to satisfy the relation Ri = R(i-2) ⊕ F(R(i-1), Ki), Fig. 2A. 

The DPA type attack on the DES can be performed on the DES in the following way: 

1st step: Power consumption measurements are made on the first round, for 1,000 DES calculations. The input values of these 1,000 calculations are notated E[1], ..., E[1,000]. The corresponding 1,000 power consumption curves measured during these calculations are notated C[1], ..., C[1,000]. The average curve CM of the 1,000 consumption curves is also calculated. 

2nd step: For example, let us consider the first output bit of the first S-box during the first round. Let b be the value of this bit. It is easy to see that b depends only on 6 bits of the secret key. The attacker forms a hypothesis on the 6 bits in question. He calculates, from each of these 6 bits and the E[i], the expected theoretical values for b. This makes it possible to separate the 1,000 inputs E[1], ..., E[1,000] into two categories: those that yield b=0 and those that yield b=1. 

3rd step: Next the average CM' of the curves corresponding to inputs in the first category, i.e. for which b=0, is calculated. If CM and CM' have a notable difference, the values retained for the 6 key bits are considered to be the correct ones. If CM and CM' do not have any appreciable difference in the statistical sense, i.e., no difference that is substantially greater than the standard deviation of the noise measured, the 2nd step is repeated with another choice for the 6 bits. 

4th step: Steps 2 and 3 are repeated with a target bit b output from the second S-box, then from the third S-box, and so on through the eighth S-box. Thus, the 48 bits of the secret key are eventually obtained. 

5th step: The 8 remaining bits can be found through an exhaustive search. 



This attack does not require any knowledge on the individual power consumption of each instruction, or on the time position of each of these instructions. It applies in the same way if we assume that the attacker knows some outputs of the algorithm and the corresponding consumption curves. It is based solely on the fundamental hypothesis according to which: 

Fundamental hypothesis: there exists an intermediate variable, appearing during the calculation of the algorithm, such that the knowledge of several key bits, in practice less than 32 bits, makes it possible to decide whether or not two inputs, or respectively two outputs, yield the same value for this variable. 

All the algorithms that use S-boxes, such as DES, are potentially vulnerable to DPA, since the usual embodiments generally fall within the category of the hypothesis mentioned above. 

The attacks known as High-Order Differential Power Analysis, abbreviated HO-DPA, are a generalization of the DPA attack described above. They can use several different sources of information; in addition to power consumption, they can perform measurements of electromagnetic radiation, temperature, etc., and implement statistical operations that are more sophisticated than the simple notion of averaging, and intermediate variables (generalizing the bit b defined above) that are less elementary. Nevertheless, they are based on exactly the same fundamental hypothesis as DPA. 

One solution for eliminating the risk of DPA or HO-DPA attacks consists, for a cryptographic calculation process using a secret key Ks, of modifying the implementation of the algorithm so that the aforementioned fundamental hypothesis is no longer verified, since there is no longer any calculated intermediate variable that depends on the knowledge of an easily accessible subset of the secret key. 

To this end, the cryptographic calculation process is first separated in the computer system into several distinct calculation process parts PPC1 through PPCk (Fig. 3) performed simultaneously, then secondly, the final value V corresponding to that obtained by the cryptographic calculation without a separation is reconstituted in the computer system from the partial intermediate results v1 through vk obtained by implementing the aforementioned distinct calculation process parts PPC1 through PPCk. 

This separation is performed by the modified calculation algorithm, which replaces each intermediate variable v occurring during the calculation and depending on the input (or output) data with k variables v1, v2, ..., vk, such that v1, v2, ..., vk make it possible, as necessary, to reconstitute v. More precisely, this means that there exists a function f that makes it possible to determine v, such that v = f(v1, v2, ..., vk) and such that the separation performed by the modified algorithm satisfies this function. It is also assumed that f preferably satisfies the following first condition: 

Condition No. 1: Let i be a subscript (in the broad sense) between 1 and k. The knowledge of a value v never makes it possible, in practice, to deduce information on all of the values vi such that there exists a (k-1)-tuple (v1, ..., v(i-1), v(i+1), ..., vk) that satisfies the equation f(v1, ..., vk) = v. 

The algorithm is then "translated" by replacing each intermediate variable v depending on input (or output) data with the k variables v1, v2, ..., vk. 

In order to guarantee the maximum security of the modified algorithm in its new form, the following additional condition (Condition No. 2) is imposed on the function f: 

Condition No. 2: The function f is such that the transformations to be performed on v1, v2, ... or vk during the calculation in place of the transformations normally performed on v can be implemented without having to recalculate v. 

Let us return to the example of the DES algorithm. A concrete implementation of the method described above consists of constructing the modified calculation algorithm DES_M so that it separates each intermediate variable v occurring during the calculation and depending on input or output data into, for example, two variables v1 and v2, which means that we take k=2. Let us consider the function f(v1, v2) = v = v1 ⊕ v2 in the above example No. 1, which satisfies Condition No. 1 by construction. From the construction of the DES algorithm, it is easy to see that the transformations it performs on v can always fall into one of the following five categories: 

- a permutation of the bits of v; 

- an expansion of the bits of v; 

- an exclusive-OR of v with another variable v' of the same type; 

- an exclusive-OR of v with a variable c that depends only on the key or on a subkey; 

- a nonlinear transformation of v by an S-box. 

The first two categories correspond to linear transformations on the bits of the variable v. For these categories, Condition No. 2 is very easy to verify, and it is sufficient to perform, in place of the transformation normally performed on v, the permutation or expansion on v1, then on v2, and the relation f(v1, v2) = v that was true before the transformation remains equally true afterwards. 



Likewise, in the third case, it is sufficient to replace the calculation v'' = v ⊕ v' with v''1 = v1 ⊕ v'1 and v''2 = v2 ⊕ v'2. The relations f(v1, v2) = v and f(v'1, v'2) = v' yield f(v''1, v''2) = v'' and Condition No. 2 is again verified. 

In the exclusive-OR of v with a variable c that is dependent only on the key or a subkey, Condition No. 2 is also very easy to satisfy: it is sufficient to replace the calculation of v ⊕ c with v1 ⊕ c, or v2 ⊕ c, which fulfills Condition No. 2. 

Finally, in place of the given nonlinear transformation of the prior art v' = S(v), represented in Fig. 4A and embodied in the form of an S-box which, in this example, accepts 6-bit inputs and yields 4-bit outputs, the computer system performs the transformation (v'1, v'2) = S'(v1, v2) in a variant of embodiment by means of two new S-boxes, each of which can be in the form of a table, this time from 12 bits to 4 bits. In order to guarantee the equality f(v'1, v'2) = v', it is sufficient to choose: 

(v'1, v'2) = S'(v1, v2) = (A(v1, v2), S(v1 ⊕ v2) ⊕ A(v1, v2)) 

i.e. v'1 = A(v1, v2) and v'2 = S(v1 ⊕ v2) ⊕ A(v1, v2) 

where A designates a secret, random transformation of 12 bits into 4 bits. The first (new) S-box (S'1, Fig. 4B) corresponds to the table of the transformation (v1, v2) → A(v1, v2), which associates (v1, v2) with A(v1, v2), and the second (new) S-box (S'2) corresponds to the table of the transformation (v1, v2) → S(v1 ⊕ v2) ⊕ A(v1, v2), which associates (v1, v2) with S(v1 ⊕ v2) ⊕ A(v1, v2). The presence of the random function A makes it possible to guarantee Condition No. 1. The use of tables also makes it possible to avoid having to calculate v1 ⊕ v2, thereby making it possible to satisfy Condition No. 2. 

The transformation or conversion tables can be stored in a ROM of the microcomputer 
card when the computer system is constituted by a microcomputer card. 

Thus, for a computational step of the nonlinear transformation type implemented by a standard cryptographic calculation process like DES, the separation, as represented in Fig. 4C, can be into k parts. As compared to a standard cryptographic calculation process using nonlinear transformations of m bits into n bits, described by conversion tables in which the n output bits of the transformation are read at an address that is a function of the m input bits, the modified cryptographic calculation algorithm DES_M replaces each nonlinear transformation of m bits into n bits of the standard cryptographic calculation process applied to an intermediate m-bit variable playing the role of an input variable E, without a separation, with a plurality k of partial nonlinear transformations of km bits into n bits, each applied to a partial intermediate variable of the set k of partial intermediate m-bit variables v1 through vk. According to a particularly remarkable aspect of the method that is the subject of the invention, this partial nonlinear transformation is described and embodied by k partial conversion tables in which each of the n output bits of each table constitutes, respectively, the variable v'1, the variable v'2, ..., the variable v'k of the transformation, and is read at an address that is a function of one of the k groups of km input bits. 

In the above example of DES and in relation to Fig. 4C, it is noted that k=2, n=4 and m=6. 

In a first variant, in order to save space in the ROM, it is entirely possible to use the same random function A for each of the eight S-boxes of the conventional description of DES, which makes it possible to have only nine new S-boxes to store instead of sixteen. 
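The k=2 split of one S-box just described (the two 12-bit-to-4-bit tables S'1 = A and S'2 = S(v1 ⊕ v2) ⊕ A, plus the share-wise handling of the linear and key-XOR steps) as a worked example in Python. This is an added illustration, not code from the patent or its applicant. It assumes DES S-box S1 from FIPS 46 as the sample 6-to-4 nonlinear map, and it draws the secret random function A from a seeded PRNG so the run is reproducible; a card would draw A from its own random source and keep it in the secret area Ds.

```python
"""Added example, not part of the patent text or the applicant's code.

Variant 1 for k = 2: the 6->4 S-box S is replaced by two 12->4 tables
S'1 = A and S'2 = S(v1 ^ v2) ^ A, read at the address formed from the pair
(v1, v2), so the shares are never recombined.  Assumptions: S is DES S1
(FIPS 46) used only as a sample nonlinear map; the secret random map A comes
from a seeded PRNG (a card would use its RNG and keep A in Ds)."""
import random

# DES S-box S1 (FIPS 46): row from input bits 1 and 6, column from bits 2-5.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def S(v):
    """Unprotected nonlinear step v' = S(v), 6 bits -> 4 bits."""
    row = (((v >> 5) & 1) << 1) | (v & 1)
    col = (v >> 1) & 0xF
    return S1[row][col]


def build_split_tables(sbox, seed=1):
    """Variant 1 tables, both addressed by addr = (v1 << 6) | v2 (12 bits):
    S'1[addr] = A(v1, v2)              secret random 12->4 map (constructed)
    S'2[addr] = S(v1 ^ v2) ^ A(v1, v2)
    Their XOR equals S(v1 ^ v2) although v1 ^ v2 is never computed at run time."""
    rng = random.Random(seed)                        # stand-in for the card's RNG
    A = [rng.randrange(16) for _ in range(1 << 12)]  # 4096 nibbles, kept in Ds
    S2p = [sbox(v1 ^ v2) ^ A[(v1 << 6) | v2]
           for v1 in range(64) for v2 in range(64)]
    return A, S2p


def split_sbox(tables, v1, v2):
    """Protected nonlinear step: one 12-bit address, two reads, no recombination."""
    S1p, S2p = tables
    addr = (v1 << 6) | v2
    return S1p[addr], S2p[addr]


def split_xor_key(v1, v2, c):
    """XOR with a key-dependent constant c applied to a single share:
    (v1 ^ c) ^ v2 == v ^ c."""
    return v1 ^ c, v2


def permute(x, perm):
    """Bit permutation or expansion: output bit i takes input bit perm[i]."""
    return sum(((x >> p) & 1) << i for i, p in enumerate(perm))


def split_permute(v1, v2, perm):
    """Linear wiring is applied to each share alone;
    permute(v1) ^ permute(v2) == permute(v1 ^ v2)."""
    return permute(v1, perm), permute(v2, perm)


def protected_step(tables, v1, v2, c):
    """Key XOR followed by the S-box, entirely on shares."""
    a1, a2 = split_xor_key(v1, v2, c)
    return split_sbox(tables, a1, a2)


def verify_split(tables, sbox):
    """Check f(v'1, v'2) = v'1 ^ v'2 == S(v1 ^ v2) for all 4096 share pairs."""
    for v1 in range(64):
        for v2 in range(64):
            o1, o2 = split_sbox(tables, v1, v2)
            if o1 ^ o2 != sbox(v1 ^ v2):
                return False
    return True


def share_values_for(tables, v):
    """Values taken by the first output share over the 64 splits of one v:
    since A is random, v'1 alone says nothing about v (Condition No. 1)."""
    return {split_sbox(tables, v1, v ^ v1)[0] for v1 in range(64)}


if __name__ == "__main__":
    tables = build_split_tables(S)
    v, v1, c = 0b101011, 0b010110, 0b110010          # constructed sample values
    o1, o2 = protected_step(tables, v1, v ^ v1, c)
    print("tables consistent:", verify_split(tables, S))
    print("shares", (o1, o2), "recombine to", o1 ^ o2, "== S(v ^ c) =", S(v ^ c))
    print("storage: 2 x 4096 nibbles for one S-box instead of 64")
```

The cost noted in the specification is visible in `build_split_tables`: each protected S-box needs two 4096-entry tables, which is what motivates reusing one A across the eight S-boxes and, further on, Variant No. 2.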

A second variant, called Variant No. 2, will be described in connection with Fig. 4D. 

In order to reduce the size of the ROM required to store the S-boxes, it is also possible, in place of each nonlinear transformation v' = S(v) of the initial implementation expressed in the form of an S-box (which in the example of DES accepts 6-bit inputs and yields 4-bit outputs), to use the following method, which in this second variant performs the transformation (v'1, v'2) = S'(v1, v2) by means of two S-boxes (S'1, S'2), each containing a table of 6 bits into 4 bits. The initial implementation of the calculation of v' = S(v) is replaced in the modified algorithm by the following two successive calculations: 

- v0 = φ(v1 ⊕ v2) 

which uses a secret, bijective function φ of 6 bits into 6 bits, and 

- (v'1, v'2) = S'(v1, v2) = (A(v0), S(φ^-1(v0)) ⊕ A(v0)) 

i.e. v'1 = A(v0), v'2 = S(φ^-1(v0)) ⊕ A(v0) 

where A designates a secret, random transformation of 6 bits into 4 bits. The first (new) S-box (referenced S'1 in Fig. 4D) corresponds to the table of the transformation v0 → A(v0), which associates v0 with A(v0), and the second (new) S-box (referenced S'2 in Fig. 4D) corresponds to the table of the transformation v0 → S(φ^-1(v0)) ⊕ A(v0), which associates v0 with S(φ^-1(v0)) ⊕ A(v0). By construction, we still have the equality f(v'1, v'2) = v'. The presence of the random function A makes it possible to guarantee Condition No. 1. The use of tables makes it possible to avoid having to calculate φ^-1(v0) = v1 ⊕ v2. 

Fig. 4E represents a corresponding computational step of the nonlinear transformation type implemented within the framework of the standard cryptographic calculation process, such as DES, as modified in accordance with the method that is the subject of the invention according to Variant No. 2. In addition to the separation into k parts applied to the input variable E for the nonlinear transformations of m bits into n bits, described by conversion tables in which the n output bits are read at an address that is a function of the m input bits, the cryptographic calculation process is modified by replacing each nonlinear transformation of m bits into n bits, applied to an intermediate m-bit variable playing the role of an input variable E in the standard calculation process, with a partial nonlinear transformation of km bits into kn bits applied to the set k of partial intermediate m-bit variables v1 through vk. This partial nonlinear transformation is described and embodied by k conversion tables of km bits into n bits, each of the inputs of the conversion tables receiving a value obtained by applying a secret bijective function φj to the function f(v1, ..., vk) of the partial intermediate variables in accordance with the relation φj ∘ f(v1, ..., vk), with j ∈ [1,k]. The aforementioned application φj ∘ f(v1, ..., vk) is performed by direct evaluation of a resulting value which, applied to the input of the corresponding conversion table 1 through k, makes it possible to read n output bits of the transformation v'1 or v'2 or ... v'k at an address that is a function of these m input bits. 

As in the first example above, and in connection with Fig. 4E, it is noted that for Variant No. 2, k=2, m=6 and n=4. 

Moreover, in a simplified version, the bijective functions $\varphi_1$ through $\varphi_k$ are identical.

In order for Condition No. 2 to be satisfied, it is necessary to choose the bijective transformation $\varphi$ or the bijective functions $\varphi_1$ through $\varphi_k$ such that the calculation of $v_0 = \varphi(v_1 \oplus v_2)$ can be done without having to recalculate $v_1 \oplus v_2$. Two examples of choices for the function $\varphi$ are given below:

Example 1: A linear bijection $\varphi$

A secret, linear bijective function of 6 bits into 6 bits is chosen for $\varphi$. Within the framework of such a choice, all of the 6-bit values are considered as a vector space of dimension 6 over the finite field $F_2$ with two elements. In practice, choosing $\varphi$ amounts to choosing a random invertible 6x6 matrix whose coefficients equal 0 or 1. With this choice of $\varphi$, it is easy to see that Condition No. 2 is satisfied. In essence, to calculate $\varphi(v_1 \oplus v_2)$, it is sufficient to calculate $\varphi(v_1)$, then $\varphi(v_2)$, and finally to calculate the "exclusive-OR" of the two results obtained.
For example, the matrix

$$\begin{pmatrix} 1&1&0&1&0&0\\ 1&1&0&1&0&1\\ 0&1&1&0&1&0\\ 1&1&1&0&1&0\\ 0&1&1&1&1&0\\ 0&0&1&1&0&1 \end{pmatrix}$$

is invertible. It corresponds to the linear bijection of 6 bits into 6 bits defined by:

$$\varphi(u_1, u_2, u_3, u_4, u_5, u_6) = (u_1 \oplus u_2 \oplus u_4,\; u_1 \oplus u_2 \oplus u_4 \oplus u_6,\; u_2 \oplus u_3 \oplus u_5,\; u_1 \oplus u_2 \oplus u_3 \oplus u_5,\; u_2 \oplus u_3 \oplus u_4 \oplus u_5,\; u_3 \oplus u_4 \oplus u_6)$$

If we take $v_1 = (v_{1,1}, v_{1,2}, v_{1,3}, v_{1,4}, v_{1,5}, v_{1,6})$ and $v_2 = (v_{2,1}, v_{2,2}, v_{2,3}, v_{2,4}, v_{2,5}, v_{2,6})$, then in order to calculate $\varphi(v_1 \oplus v_2)$, we successively calculate:

$$\varphi(v_1) = (v_{1,1} \oplus v_{1,2} \oplus v_{1,4},\; v_{1,1} \oplus v_{1,2} \oplus v_{1,4} \oplus v_{1,6},\; v_{1,2} \oplus v_{1,3} \oplus v_{1,5},\; v_{1,1} \oplus v_{1,2} \oplus v_{1,3} \oplus v_{1,5},\; v_{1,2} \oplus v_{1,3} \oplus v_{1,4} \oplus v_{1,5},\; v_{1,3} \oplus v_{1,4} \oplus v_{1,6})$$

$$\varphi(v_2) = (v_{2,1} \oplus v_{2,2} \oplus v_{2,4},\; v_{2,1} \oplus v_{2,2} \oplus v_{2,4} \oplus v_{2,6},\; v_{2,2} \oplus v_{2,3} \oplus v_{2,5},\; v_{2,1} \oplus v_{2,2} \oplus v_{2,3} \oplus v_{2,5},\; v_{2,2} \oplus v_{2,3} \oplus v_{2,4} \oplus v_{2,5},\; v_{2,3} \oplus v_{2,4} \oplus v_{2,6})$$

Then we calculate the "exclusive-OR" of the two results obtained.

Example 2: A quadratic bijection $\varphi$

A secret quadratic bijective function of 6 bits into 6 bits is chosen for $\varphi$. The term "quadratic" in this case means that each output bit of the function $\varphi$ is expressed by a polynomial function of degree two of the 6 input bits, which are identified with 6 elements of the finite field $F_2$. In practice, it is possible to choose the function $\varphi$ defined by the formula $\varphi(x) = t(s(x)^5)$, where s is a secret linear bijective map from $(F_2)^6$ to L, t is a secret linear bijective map from L to $(F_2)^6$, and L designates an algebraic extension of degree 6 of the finite field $F_2$. The bijective character of this function $\varphi$ results from the fact that $a \mapsto a^5$ is a bijection on the extension L (the inverse of which is $b \mapsto b^{38}$). In order to establish that Condition No. 2 is still satisfied, it is sufficient to note that, since s is linear and $(a \oplus b)^4 = a^4 \oplus b^4$ in characteristic 2, it is possible to write:

$$\varphi(v_1 \oplus v_2) = \psi(v_1, v_1) \oplus \psi(v_1, v_2) \oplus \psi(v_2, v_1) \oplus \psi(v_2, v_2)$$

where the function $\psi(x, y) = t(s(x)^4 \cdot s(y))$.

For example, if we identify L with $F_2[X]/(X^6 + X + 1)$, and if we take s and t with respective matrices (not reproduced here) relative to the base $(1, X, X^2, X^3, X^4, X^5)$ of L over $F_2$ and to the canonical base of $(F_2)^6$ over $F_2$, we obtain the following quadratic bijection $\varphi$ of 6 bits into 6 bits:

$$\begin{aligned}
\varphi(u_1, u_2, u_3, u_4, u_5, u_6) = (\;
& u_2u_5 \oplus u_1u_4 \oplus u_4 \oplus u_6 \oplus u_6u_2 \oplus u_4u_6 \oplus u_2 \oplus u_5 \oplus u_3 \oplus u_4u_3, \\
& u_2u_5 \oplus u_5u_1 \oplus u_1u_4 \oplus u_4 \oplus \text{[term illegible in the source]} \oplus u_4u_5 \oplus u_2 \oplus u_5 \oplus u_3u_1, \\
& u_2u_5 \oplus u_5u_1 \oplus u_6u_5 \oplus u_1u_4 \oplus u_3u_5 \oplus u_1 \oplus u_4u_6 \oplus u_6u_3 \oplus u_4u_3 \oplus u_3u_1, \\
& u_1u_4 \oplus u_2u_3 \oplus u_6u_1 \oplus u_4u_6 \oplus u_5 \oplus u_6u_3 \oplus u_4u_3, \\
& u_5u_1 \oplus u_1u_4 \oplus u_6 \oplus u_3u_5 \oplus u_4u_5 \oplus u_1 \oplus u_6u_1 \oplus u_4u_6 \oplus u_3 \oplus u_6u_3 \oplus u_4u_2, \\
& u_4 \oplus u_5 \oplus u_3u_5 \oplus u_1 \oplus u_4u_6 \oplus u_6u_3 \;).
\end{aligned}$$

To calculate $\varphi(v_1 \oplus v_2)$, we use the function $\psi(x, y) = t(s(x)^4 \cdot s(y))$ of 12 bits into 6 bits, which yields the 6 output bits as a function of the 12 input bits in accordance with the following rules:

$$\begin{aligned}
\psi(x_1, x_2, x_3, x_4, x_5, x_6, y_1, y_2, y_3, y_4, y_5, y_6) = (\;
& x_3y_5 \oplus x_6y_2 \oplus x_6y_3 \oplus x_6y_4 \oplus x_3y_1 \oplus x_6y_1 \oplus x_1y_3 \oplus x_1y_5 \oplus x_5y_2 \oplus x_5y_5 \oplus x_5y_1 \oplus x_6y_6 \oplus x_2y_6 \oplus x_1y_2 \oplus x_1y_4 \oplus x_2y_1 \oplus x_2y_2 \oplus x_4y_4 \oplus x_3y_3 \oplus x_3y_6 \oplus x_4y_3 \oplus x_5y_3, \\
& x_4y_5 \oplus x_3y_1 \oplus x_6y_1 \oplus x_2y_5 \oplus x_5y_2 \oplus x_6y_6 \oplus x_1y_6 \oplus x_1y_2 \oplus x_2y_1 \oplus x_2y_2 \oplus x_4y_1 \oplus x_4y_4 \oplus x_3y_3, \\
& x_6y_2 \oplus x_6y_3 \oplus x_6y_4 \oplus x_6y_5 \oplus x_3y_1 \oplus x_6y_1 \oplus x_2y_5 \oplus x_5y_1 \oplus x_1y_6 \oplus x_1y_1 \oplus x_1y_2 \oplus x_1y_4 \oplus x_2y_1 \oplus x_2y_4 \oplus x_4y_2 \oplus x_2y_6 \oplus x_3y_4 \oplus x_5y_3, \\
& x_3y_1 \oplus x_6y_2 \oplus x_2y_6 \oplus x_5y_3 \oplus x_5y_4 \oplus x_5y_6 \oplus x_6y_3 \oplus x_2y_3 \oplus x_4y_6 \oplus x_6y_5 \oplus x_1y_3 \oplus x_5y_5 \oplus x_2y_4 \oplus x_4y_2 \oplus x_4y_5 \oplus x_3y_5 \oplus x_4y_3 \oplus x_6y_1 \oplus x_4y_1, \\
& x_3y_1 \oplus x_6y_6 \oplus x_5y_3 \oplus x_5y_6 \oplus x_5y_2 \oplus x_1y_5 \oplus x_1y_1 \oplus x_1y_2 \oplus x_2y_1 \oplus x_2y_3 \oplus x_3y_6 \oplus x_6y_5 \oplus x_1y_3 \oplus x_2y_4 \oplus x_3y_3 \oplus x_4y_5 \oplus x_2y_5 \oplus x_6y_1 \oplus x_4y_1 \oplus x_6y_4 \oplus x_3y_2, \\
& x_6y_6 \oplus x_4y_4 \oplus x_5y_4 \oplus x_5y_6 \oplus x_6y_3 \oplus x_1y_6 \oplus x_1y_1 \oplus x_1y_2 \oplus x_2y_1 \oplus x_6y_5 \oplus x_2y_4 \oplus x_4y_2 \oplus x_4y_5 \oplus x_3y_5 \oplus x_6y_1 \oplus x_6y_4 \;).
\end{aligned}$$

Using these formulas, we successively calculate:

• $\psi(v_1, v_1)$;

• $\psi(v_1, v_2)$;

• $\psi(v_2, v_1)$;

• $\psi(v_2, v_2)$.

Then we calculate the "exclusive-OR" of the four results obtained.
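Both choices of $\varphi$, Example 1 (linear) and Example 2 (quadratic), checked against Condition No. 2, as an added example that is not part of the patent text. It evaluates $\varphi(v_1 \oplus v_2)$ the way the text prescribes, from $v_1$ and $v_2$ separately, and compares with the direct value on all 4096 pairs; it also verifies that the matrix of Example 1 is invertible, that $a \mapsto a^5$ is inverted by $b \mapsto b^{38}$ in L, and that the quadratic $\varphi$ is a bijection. The matrix of Example 1 is the one printed above; the matrices of s and t for Example 2 are not reproduced in this extract, so the two unit-triangular matrices S_MAT and T_MAT below are constructed stand-ins (an assumption), which is why the coefficient lists of $\varphi$ and $\psi$ printed above are not reproduced by this code.

```python
# Added example: Condition No. 2 for the linear phi of Example 1 and the
# quadratic phi of Example 2. The Example 1 matrix is the one printed
# above; the matrices s and t of Example 2 are not in this extract, so
# S_MAT and T_MAT below are constructed stand-ins (assumption).

PHI_LINEAR = [            # rows of the matrix of Example 1, over F2
    [1, 1, 0, 1, 0, 0],
    [1, 1, 0, 1, 0, 1],
    [0, 1, 1, 0, 1, 0],
    [1, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 1, 0],
    [0, 0, 1, 1, 0, 1],
]
# Constructed unit-triangular matrices (hence invertible) standing in for s, t.
S_MAT = [[1, 1, 0, 1, 0, 0], [0, 1, 1, 0, 1, 0], [0, 0, 1, 1, 0, 1],
         [0, 0, 0, 1, 1, 0], [0, 0, 0, 0, 1, 1], [0, 0, 0, 0, 0, 1]]
T_MAT = [[1, 0, 0, 0, 0, 0], [1, 1, 0, 0, 0, 0], [0, 1, 1, 0, 0, 0],
         [1, 0, 1, 1, 0, 0], [0, 1, 0, 1, 1, 0], [1, 0, 1, 0, 1, 1]]
MOD = 0b1000011           # X^6 + X + 1, so L = F2[X]/(X^6 + X + 1)

def bits(u):
    """6-bit integer -> [u1..u6], u1 the most significant bit."""
    return [(u >> (5 - i)) & 1 for i in range(6)]

def unbits(b):
    return sum(bit << (5 - i) for i, bit in enumerate(b))

def matvec(m, u):
    """Matrix-vector product over F2 on 6-bit values."""
    ub = bits(u)
    return unbits([sum(r[i] & ub[i] for i in range(6)) & 1 for r in m])

def is_invertible(m):
    """Gaussian elimination over F2; True iff the 6x6 matrix has rank 6."""
    rows, rank = [unbits(r) for r in m], 0
    for col in range(5, -1, -1):
        piv = next((i for i in range(rank, 6) if (rows[i] >> col) & 1), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for i in range(6):
            if i != rank and (rows[i] >> col) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank == 6

def phi_linear_split(v1, v2):
    """Example 1: phi(v1 ^ v2) as phi(v1) ^ phi(v2); v1 ^ v2 is never formed."""
    return matvec(PHI_LINEAR, v1) ^ matvec(PHI_LINEAR, v2)

def gf_mul(a, b):
    """Multiplication in L."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x40:
            a ^= MOD
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def phi_quadratic(x):
    """Example 2: phi(x) = t(s(x)^5)."""
    return matvec(T_MAT, gf_pow(matvec(S_MAT, x), 5))

def psi(x, y):
    """psi(x, y) = t(s(x)^4 * s(y)), 12 bits -> 6 bits."""
    return matvec(T_MAT, gf_mul(gf_pow(matvec(S_MAT, x), 4), matvec(S_MAT, y)))

def phi_quadratic_split(v1, v2):
    """Example 2: phi(v1 ^ v2) from four psi values, v1 ^ v2 never formed.
    Holds because s is linear and (a + b)^4 = a^4 + b^4 in characteristic 2."""
    return psi(v1, v1) ^ psi(v1, v2) ^ psi(v2, v1) ^ psi(v2, v2)

def check_condition_2():
    """All matrices invertible, a -> a^5 inverted by b -> b^38 in L, the
    quadratic phi is a bijection, and both split evaluations agree with
    the direct phi(v1 ^ v2) on all 4096 pairs."""
    ok = all(is_invertible(m) for m in (PHI_LINEAR, S_MAT, T_MAT))
    ok = ok and all(gf_pow(gf_pow(a, 5), 38) == a for a in range(64))
    ok = ok and len({phi_quadratic(x) for x in range(64)}) == 64
    for v1 in range(64):
        for v2 in range(64):
            ok = ok and phi_linear_split(v1, v2) == matvec(PHI_LINEAR, v1 ^ v2)
            ok = ok and phi_quadratic_split(v1, v2) == phi_quadratic(v1 ^ v2)
    return ok
```

The linear case costs two matrix-vector products and one XOR; the quadratic case costs four evaluations of the bilinear $\psi$, which is the price of a nonlinear $\varphi$ that still never touches $v_1 \oplus v_2$. The exponent 38 works because $5 \cdot 38 = 190 \equiv 1 \pmod{63}$, 63 being the order of the multiplicative group of L.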

In a third variant, again in order to reduce the size of the ROM required to store the S-boxes, it is possible to simultaneously apply the ideas of the two preceding variants, Variant No. 1 and Variant No. 2: Variant No. 2 is used with the same secret bijection $\varphi$ (of 6 bits into 6 bits) and the same secret random function A (of 6 bits into 4 bits) in the new implementation of each nonlinear transformation expressed in the form of an S-box.

The disadvantage of the solution described above for warding off DPA attacks is that it is vulnerable to a DKDPA attack.

The utilization of the protection method described above makes it possible to render DPA or HO-DPA attacks ineffective. However, the new implementation of the secret key cryptographic algorithm may be vulnerable to another attack, which will hereinafter be called Differential Key and Differential Power Analysis, abbreviated DKDPA, even when the standard DPA attack fails. We will now describe the general principle of this attack.

Let us assume that the attacker has in his possession a small number of computer systems, for each of which he knows the secret key of the cryptographic algorithm it uses. For each computer system, even though he already knows the secret key, he applies the DPA attack exactly as though he did not know the secret key. Using the principle described above, he forms hypotheses on 6 bits of the key and, for each of the 64 possible choices of these 6 bits, obtains a curve representing the difference between average consumption curves, i.e. 64 curves in all.

For certain implementations of the algorithm, it is possible for the DPA to reveal unusual phenomena for certain choices of these 6 key bits (i.e., unusual peaks or dips for one of the 64 curves). Of course, this particular choice of 6 key bits does not correspond to the true key, but the "exclusive-OR" between these 6 bits (let us call them K') and the 6 corresponding bits of the true key (let us call them K) is often found to be a constant C, which means that $K \oplus K' = C$ holds for each computer system for which the attacker knows the secret key.

If this is actually the case, then the attacker can easily find the bits of a real unknown key: he applies the standard DPA attack, then notes the particular choice K' of the 6 bits that yields an unusual curve, and finally deduces K from it by calculating $K = K' \oplus C$, where C has been obtained previously.

One of the objects of the invention is to eliminate this vulnerability of computer 
systems to DKDPA attacks. 

A more precise examination shows that the attacks of the DKDPA type described 
above are made possible by the fact that the implementation of the cryptographic calculation 
process used by the computer system or systems is always the same, no matter what the 
electronic element involved and no matter what the secret key used by the cryptographic 
process. 

The object of the method that is the subject of the present invention is to eliminate the 
risk of DKDPA attacks on data processing or computer systems using a secret key 
cryptographic process. 

The method for protecting one or more computer systems using a secret key 
cryptographic calculation process, which is the subject of the present invention, is remarkable 
in that the implementation of the secret key cryptographic calculation process is dependent on 
secret data. 

According to another characteristic, for each computer system and for each secret key, 
the way in which said secret data is used to perform said cryptographic calculation is public. 

According to another characteristic, there are at least two pieces of secret data used by 
said computer systems. 

According to another characteristic, each of the computer systems contains at least 
one specific piece of secret data. 

Consequently, another subject of the present invention is a way of performing the 
cryptographic calculation that can easily be made different from one computer system to 
another, or for the same computer system, from the utilization of one secret key to another. 

This object is achieved through the fact that in each of the computer systems, there are 
at least two pieces of secret data, corresponding to the various secret keys used by this 
computer system. 

According to another characteristic, in each of the computer systems, each secret key 
used by said cryptographic calculation corresponds to a specific piece of secret data. 

According to another characteristic, the method, which uses a cryptographic calculation process using nonlinear transformations of km bits into kn bits described by k conversion tables of km bits into n bits in which n output bits of the transformation are read at an address that is a function of the km input bits, is characterized in that for each of these nonlinear transformations, said k tables are part of the secret data.

According to another characteristic, the method for protecting one or more computer systems uses a cryptographic calculation process using nonlinear transformations of km bits into kn bits described by k conversion tables of km bits into n bits in which n output bits of the transformation are read at an address obtained by applying a secret bijective function to an m-bit value, itself obtained by applying a public function of the km input bits of the nonlinear transformation, characterized in that for each of these nonlinear transformations, the k tables are part of the secret data.
According to another characteristic, for each of the nonlinear transformations, the secret bijective function is also part of the secret data.

According to another characteristic, the secret data is stored in the E²PROM memory of said microcomputer card.

According to another characteristic, a conversion table calculation program is stored in each computer system and activated by a given event in order to calculate the tables and store all or part of these tables in the secret data.

According to another characteristic, the given event is the exceeding of a given value by a counter.

Another object of the invention is a utilization of this method.

This object is achieved through the fact that the method is used to protect a cryptographic calculation process supported by the DES, Triple DES and RSA algorithms.
A final object of the invention is to define one or more computer systems that resist DPA and DKDPA attacks.

This object is achieved through the fact that the computer system that implements the protection process, comprising means for storing a modified cryptographic algorithm that adheres to the computational phases of the standard cryptographic algorithm and uses a secret encryption key contained in a secret area of storage means, and means for executing this modified cryptographic algorithm, is characterized in that the computer system comprises first secret means for replacing each intermediate variable required for the computational phases of the standard algorithm with a plurality (k) of partial intermediate variables, second means for applying a nonlinear transformation table to each of these partial intermediate variables, and third means for reconstituting the final result corresponding to the utilization of the standard encryption algorithm from results obtained on the partial variables.

According to another characteristic, the secret data of the computer system includes at least one first random variable $v_1$ constituting at least one secret partial variable, and the modified algorithm determines at least one other partial variable, for example $v_2$, by applying a first secret function to the intermediate variable v and the secret partial variable or variables $v_1$.

According to another characteristic, the modified algorithm applies the nonlinear transformations to the partial variables $v_1$ and $v_2$ by using tables, at least one of which, A, formed by random selection, is stored in the secret data Ds, the other tables required for the calculations being able to be stored in the nonvolatile memory; the various computational rounds of the standard algorithm are executed, each time using the tables on the partial variables, and in the last round the algorithm calculates the result by combining the partial variables in accordance with a second secret function.

According to another characteristic, the first secret means of the modified algorithm are constituted by a function f linking the partial intermediate variables and each intermediate variable (v), such that the knowledge of one value of this intermediate variable never makes it possible to deduce all of the particular partial values $v_i$ such that there exists a (k-1)-tuple $(v_1, \ldots, v_{i-1}, v_{i+1}, \ldots, v_k)$ that satisfies the equation $f(v_1, \ldots, v_k) = v$.

According to another characteristic, the second means of the modified algorithm are constituted by k partial conversion tables and, among the k partial conversion tables, k-1 partial conversion tables contain secret random variables.

According to another characteristic, the second means of the modified algorithm comprise k conversion tables, each of these conversion tables receiving as input a value obtained by applying a secret bijective function $\varphi_j$ to said function $f(v_1, \ldots, v_k)$ of the partial intermediate variables in accordance with the relation $\varphi_j \circ f(v_1, \ldots, v_k)$, $j \in [1, k]$, this application $\varphi_j \circ f(v_1, \ldots, v_k)$ being performed by direct evaluation of a resulting value, this resulting value, applied to the input of the conversion table, making it possible to read n output bits of the transformation at an address that is a function of these m input bits.

According to another characteristic, the second means of the modified algorithm replace each nonlinear transformation applied to an intermediate variable of the standard cryptographic calculation process, without a separation, with a partial nonlinear transformation of km bits into kn bits applied to all of the partial intermediate variables, (k-1)n of said output bits of this transformation being calculated as a polynomial function of the km input bits, and the n remaining bits of said output bits being obtained by reading a conversion table in which the n remaining bits are read at an address that is a function of the km input bits.

According to another characteristic, the operations performed by the modified 
algorithm in the various parts resulting from the separation of the cryptographic calculation 
process into several distinct calculation process parts are executed sequentially. 

According to another characteristic, the operations performed in the various parts resulting from the separation of the cryptographic calculation process into several distinct calculation process parts are executed in interleaved fashion.

According to another characteristic, the operations performed in the various parts resulting from the separation of the cryptographic calculation process into several distinct calculation process parts are executed simultaneously in the event of multiprogramming.

According to another characteristic, the operations performed in the various parts resulting from the separation of the cryptographic calculation process into several distinct calculation process parts are executed simultaneously in various processors working in parallel.

According to another characteristic, the computer system includes a conversion table calculation program stored in each computer system and means for the activation by a given event of the calculation of the tables and for the storage of all or part of these tables in the secret data.

According to another characteristic, a counter stores a value that is incremented with each cryptographic calculation so as to constitute the given event for activating the calculation of the tables when a given value is exceeded.

Other characteristics and advantages of the present invention will be more clearly understood with the reading of the description given in reference to the drawings below, in which:

Fig. 1 represents a computer system in which the modified encryption algorithm is used according to the method of the invention;

Figs. 2A and 2B schematically represent the DES ("Data Encryption Standard") enciphering/deciphering process of the prior art;

Fig. 3 represents a general flow chart illustrating a partitioning method according to a prior invention;

Fig. 4A represents, by way of illustration, an implementation of the method of the prior art in a standard DES encryption algorithm;

Fig. 4B represents a flow chart of a particular implementation of a modified cryptographic calculation process such as DESm according to a prior invention;

Fig. 4C represents a variant of implementation of a method as illustrated in Fig. 3;

Fig. 4D represents a variant of implementation of a method as illustrated in Fig. 4B;

Fig. 4E represents another particular implementation of a method of a prior invention, based on a secret bijective transformation, applied to a nonlinear transformation used in a modified cryptographic calculation process such as DESm;

Fig. 4F represents a computer system in which the standard encryption algorithm of the prior art is used.

The invention will be described below in connection with Fig. 1 and in comparison 
with the embodiment of the prior art represented in Fig. 4F. 

A computer system can be constituted by a computer security module installed in a larger device, such as for example a server or a terminal. This computer system can be constituted by one or more integrated circuits incorporated into the larger device or even by a chip card, generally called a "smart card" when it includes a microprocessor or microcontroller, connected to the larger device by a connector with or without contact. A standard encryption algorithm, such as for example DES, can be installed in the nonvolatile memory, for example a ROM (7), of the computer system (1). The microprocessor (2) of this computer system (1) executes this algorithm by reading, through the bus (4) that links it to the various memories, the instructions contained in the ROM (7) in order to perform the steps of the encryption method described in connection with Figs. 2A and 2B by combining the secret encryption key (Ks) contained in a secret area (60) of a nonvolatile memory of the computer system, for example a programmable memory (6) of the E²PROM type, with the information E to be encrypted which is, for example, temporarily stored in a volatile memory (5), for example a RAM. The microprocessor, associated in a single integrated circuit with its RAM, ROM and E²PROM memories, constitutes what is called a microcontroller or microcomputer. The microprocessor dialogues with the larger device through an input/output circuit (3), and no access to the declared secret area (60) of the nonvolatile memory is permitted through any circuit other than the microprocessor (2). It alone can read the key (Ks) and use it in connection with the standard encryption method described with the aid of Figs. 2A and 2B to produce the encrypted message Mc = DES(E, Ks).

The invention consists of modifying the algorithm used for the encryption in order to construct a modified algorithm (DESm) that adheres to the same phases as the calculation process of the standard algorithm (DES). Thus, in the case of DES, the modified algorithm performs a separation of the cryptographic calculation process of the standard DES into several distinct calculation process parts executed in parallel and using partial intermediate results (called partial variables) distinct from those of the standard cryptographic calculation, and this separation is performed by using secret data (Ds) contained in the secret area (60) of the memory (6) of the computer system (1). This modified algorithm produces a result Mc by reconstituting the final value from the partial intermediate results, such that Mc = DESm(E, Ks, Ds) = DES(E, Ks), equal to the result that would have been obtained by the standard algorithm. It will be noted that the computer systems thus obtained are entirely compatible with those having a standard encryption (hereinafter called standard systems) and can therefore be used in place of standard systems in applications or places where the standard systems would risk being exposed to an attack, without any need to change those that are in secure locations.

This modified algorithm includes secret means for replacing each intermediate variable of the standard algorithm with several partial intermediate variables, means for applying a nonlinear transformation table to each of these partial intermediate variables, and secret means for reconstituting the final result corresponding to the utilization of the standard encryption algorithm from the results obtained on the partial variables. Thus, since an attacker no longer knows the relation between the partial variables and the final result, he is no longer capable of discovering the secret encryption key (Ks) through a DPA attack.

For example, in the case of the protection method of the DES algorithm described above, the implementation of the modified cryptographic calculation process is made dependent on the data of the k conversion tables used to calculate each nonlinear transformation of km bits into kn bits. These k tables constitute the secret data (Ds). Moreover, in the case of variants 2 and 3, the implementation of the cryptographic calculation process is made dependent on the data of the secret bijective applications $\varphi_1, \varphi_2, \ldots, \varphi_k$, which are also part of the secret data.
Thus, the modified algorithm uses the secret bijective function contained in the secret data (Ds) in the computational phases where this is necessary, and uses the conversion tables, also contained in the secret data, in the other computational phases.

In the case of the example of the DES algorithm described above, the way in which this secret data is used is public.

It is quite clear that the invention has been illustrated in the case of the encryption algorithm called DES, but the same principle and the same method can be used with any other known encryption method, such as triple DES or RSA.

In order to make attacks of the DKDPA type ineffective on the computer system or systems, it is also necessary to choose a piece of secret data (Ds) that is not always the same from one computer system to another or from the utilization of one secret key to another. For this reason, it is preferable to place it in a programmable memory in order to be able to change it easily from one computer system to another. In the above example of DES, it is clear that it is easy to choose a new value for the secret data from the k conversion tables used to calculate each nonlinear transformation of km bits into kn bits; it is possible, for example, to randomly choose (k-1) tables, then deduce the k-th table through a simple calculation. Likewise, in the case of variants 2 and 3, it is possible to choose (k-1) tables randomly, and the secret bijective applications $\varphi_1, \varphi_2, \ldots, \varphi_k$ equally randomly, then deduce the k-th table from them, again through a simple calculation.

In the case where the computer systems are one or more microcomputer cards, the secret data (Ds) on which the implementation of the secret key cryptographic process depends can be stored in the E²PROM memory (6). This makes it possible to change it from one card to another in the process of customizing the card, during which one or more secret keys are generally entered in the E²PROM of said card. It is also possible to change this secret data written in the E²PROM memory when it is necessary to change one or more of the secret keys contained in the card.

In the strongest version of the invention, the secret data depends on both the microcomputer card in question and the secret key used by the cryptographic calculation process. For example, the secret data is chosen randomly each time a secret key is entered into a card. This actually amounts to entering a pair (secret key Ks, secret data Ds) into the E²PROM memory of the microcomputer card each time, instead of entering only the secret key. In a variant of embodiment of the invention, given as an illustrative but non-limiting example, the secret data includes at least one first random variable $v_1$ constituting at least one secret partial variable, and the modified algorithm determines at least one other partial variable, for example $v_2$, by applying a secret function to the intermediate variable v and the secret partial variable or variables $v_1$. This secret function can be, for example, an exclusive-OR such as:

$$v_2 = v_1 \oplus v.$$

The modified algorithm applies the nonlinear transformations to the partial variables $v_1$ and $v_2$ by using tables, at least one of which, A, formed by random selection, is stored in the secret data Ds, the other tables required for the calculations being able to be stored in the nonvolatile memory. The various computational rounds of the standard algorithm are executed, each time using the tables on the partial variables, and in the last round the algorithm calculates the result by combining the partial variables in accordance with a second secret function, which can be the inverse of the preceding one.

All of the variants described in reference to Figs. 3 through 4F are also part of the invention in that they incorporate one or more of the elements involved in the modification of the algorithm into the secret data contained in programmable nonvolatile memory (6). The elements involved in the modification of the algorithm are either the secret function f, or partial conversion tables, or a secret random conversion table A associated by a calculation with other conversion tables contained in a non-secret part of programmable (6) or non-programmable (7) memory, or a polynomial function and one or more conversion tables, or a secret bijective function $\varphi$ and a secret random transformation A, or even a secret quadratic function.

In another variant of embodiment of the invention, the program for calculating the S-boxes or conversion tables, normally present in customization machines, can be downloaded or written during a pre-customization phase into the secret area (61) of the programmable nonvolatile E²PROM memory (6) and activated during a customization phase by an order from the outside, executable only once during the customization phase. Once the order is executed, the calculation program either sets a lock in nonvolatile memory that denies access to this program unless a specific key is presented, or, in another embodiment, triggers the automatic erasure of this secret area (61). This variant makes it possible to implement the invention even with unmodified customization machines. The calculation of the S-boxes or conversion tables is performed by adhering to the principles mentioned above and by using, as a diversifier, a piece of information specific to the card in the process of being customized, such as the serial number of the card that was recorded in the pre-customization phase, the values obtained by this calculation being written into the secret data (60) of the secret area of the nonvolatile memory (6).

In another additional variant, the card includes an additional counter (62) in nonvolatile memory, which is incremented by the DESm algorithm with each execution of a DES calculation by the latter. The operating system of the card is capable of comparing the content of this counter to a given value n with each power-up of the card and of calling the calculation program (61) in order to calculate new S-boxes or conversion tables in the event that the value n is exceeded. The operating system of the card or the calculation program handles the storage of the S-boxes in the secret data in accordance with a procedure defined by the calculation program (61) or the operating system, and resets the counter. In addition, in this variant the DESm algorithm, prior to performing a DES calculation, verifies that the additional counter (62) has not exceeded the given value increased by a constant (n+c), in which c is a defined constant. If it has been exceeded, the algorithm assumes an attempted fraud and resets the card to zero.
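The card-side life cycle described in the preceding paragraphs, from customization to the counter-driven refresh and the fraud threshold, as an added example that is not the patent's own code. Each key is entered as a (Ks, Ds) pair with freshly drawn tables, so two cards or two keys with the same Ks never share Ds; at power-up the operating system regenerates every Ds once the counter exceeds n and resets it; before any computation the counter is checked against n+c and an overshoot wipes the secret area. Assumptions not in the original: a single 6-bit to 4-bit S-box step (with a constructed S-box) stands in for a full DESm execution, the linear $\varphi$ of Example 1 is used for Condition No. 2, the values of n and c are illustrative, and the card's random number generator is a seeded random.Random so that the run is reproducible.

```python
# Added example: (Ks, Ds) pairs, counter-driven table refresh at power-up
# and the n + c fraud threshold, for one microcomputer card. One masked
# S-box step stands in for the DESm computation (assumption).
import random

# Constructed 6->4 S-box standing in for a DES S-box (assumption).
SBOX = [((v * 7) ^ (v >> 2) ^ (v << 1)) & 0xF for v in range(64)]

# Linear secret bijection phi of Example 1, stored as the images of the six
# unit vectors (the columns of its matrix). Linearity gives
# phi(v1 ^ v2) = phi(v1) ^ phi(v2), i.e. Condition No. 2.
PHI_COLS = [0b110100, 0b111110, 0b001111, 0b110011, 0b001110, 0b010001]

def phi(u):
    r = 0
    for i in range(6):
        if (u >> (5 - i)) & 1:
            r ^= PHI_COLS[i]
    return r

PHI_INV = {phi(u): u for u in range(64)}      # 64 entries: phi is a bijection

class Card:
    """Secret area (60) holds (Ks, Ds) pairs; counter (62) is nonvolatile."""

    def __init__(self, serial, n=1000, c=50, seed=0):
        self.serial = serial
        self.rng = random.Random(seed)         # stands in for the card RNG
        self.n, self.c = n, c
        self.counter = 0
        self.locked = False
        self.keys = {}                         # key id -> (Ks, (table A, table 2))

    def _fresh_ds(self):
        """Ds for one key: random table A plus the deduced second table,
        both indexed by v0 = phi(v1 ^ v2)."""
        a = [self.rng.randrange(16) for _ in range(64)]
        b = [SBOX[PHI_INV[v0]] ^ a[v0] for v0 in range(64)]
        return a, b

    def load_key(self, key_id, ks):
        """Customization: a key is always entered together with its own Ds."""
        self.keys[key_id] = (ks & 0x3F, self._fresh_ds())

    def power_up(self):
        """OS check at power-up: above n, recompute every Ds and reset."""
        if self.counter > self.n:
            for key_id, (ks, _) in list(self.keys.items()):
                self.keys[key_id] = (ks, self._fresh_ds())
            self.counter = 0

    def compute(self, key_id, v):
        """One protected S-box step on the 6-bit input v under key key_id.
        Returns S(v ^ Ks), reconstituted from the two partial outputs."""
        if self.locked or self.counter > self.n + self.c:
            self.locked = True                 # attempted fraud: card reset to zero
            self.keys.clear()
            raise RuntimeError("counter exceeded n + c; card reset")
        ks, (a, b) = self.keys[key_id]
        self.counter += 1
        v1 = self.rng.randrange(64)            # secret random partial variable
        v2 = (v1 ^ v) ^ ks                     # key added to one share only
        v0 = phi(v1) ^ phi(v2)                 # = phi(v ^ Ks) without forming it
        return a[v0] ^ b[v0]                   # last round: combine partial outputs

def lifecycle_demo(n=100, c=20):
    """Drive one card through customization, normal use, refresh at
    power-up and the fraud threshold; returns what was observed."""
    card = Card("SN-0001", n=n, c=c, seed=1)
    card.load_key("k1", 0b101010)
    card.load_key("k2", 0b101010)              # same Ks, distinct Ds
    distinct_ds = card.keys["k1"][1] != card.keys["k2"][1]
    ds_before = card.keys["k1"][1]
    correct = all(card.compute("k1", v) == SBOX[v ^ 0b101010] for v in range(64))
    while card.counter <= n:                   # wear the counter past n
        card.compute("k2", card.counter & 0x3F)
    card.power_up()                            # tables refreshed here
    refreshed = card.keys["k1"][1] != ds_before and card.counter == 0
    still_correct = card.compute("k1", 3) == SBOX[3 ^ 0b101010]
    card.counter = n + c + 1                   # simulate a skipped power-up check
    try:
        card.compute("k1", 0)
        fraud_detected = False
    except RuntimeError:
        fraud_detected = card.locked and not card.keys
    return dict(distinct_ds=distinct_ds, correct=correct, refreshed=refreshed,
                still_correct=still_correct, fraud_detected=fraud_detected)
```

The two thresholds do different jobs: n bounds how many traces an attacker can collect against one set of tables before they are replaced, and n+c catches a card that keeps computing without ever passing through the power-up check that would have refreshed them.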

Finally, it is clear that in all the embodiments described, the way in which the cryptographic calculation is performed depends on the modification of the DESm algorithm, which itself depends on the elements contained in the secret storage area.

Any combination of the different variants presented is also part of the invention.
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CLAIMS 



1. Method for protecting one or more computer systems using the same secret key (Ks) 
cryptographic algorithm, characterized in that the way in which said calculation is performed 
depends, for each computer system and for each secret key, on secret data (Ds) stored in a 
secret area of the computer system or systems. 

2. Protection method according to claim 1, characterized in that, for each computer system 
and for each secret key (Ks), the way in which said secret data (Ds) is used to perform said 
cryptographic calculation is public. 

3. Protection method according to claim 1, characterized in that there are at least two pieces 
of said secret data (Ds) used by said computer systems. 

4. Protection method according to claim 3, characterized in that each of the computer systems 
contains at least one specific piece of said secret data (Ds). 

5. Protection method according to claim 1, characterized in that in each of the computer 
systems, there are at least two pieces of said secret data (Ds), corresponding to the various 
secret keys used by this computer system. 

6. Protection method according to claim 5, characterized in that in each of the computer 
systems, each secret key (Ks) used by said cryptographic calculation corresponds to a specific 
piece of said secret data (Ds). 

7. Method according to claim 1 for protecting one or more computer systems using a 
cryptographic calculation process using nonlinear transformations of km bits into kn bits 
described by k conversion tables in which n output bits of the transformation are read at an 
address that is a function of the km input bits, characterized in that for each of these nonlinear 
transformations, said k tables are part of the secret data (Ds). 

8. Method according to claim 1 for protecting one or more computer systems using a 
cryptographic calculation process using nonlinear transformations of km bits into kn bits 
described by k conversion tables in which n output bits of the transformation are read at an 
address obtained by applying a secret bijective function (φ) to an m-bit value, itself obtained 
by applying a public function of the km input bits of the nonlinear transformation, 
characterized in that for each of these nonlinear transformations, said k tables are part of the 
secret data (Ds). 

9. Protection method according to claim 8, characterized in that for each of the nonlinear 
transformations, the secret bijective function (φ) is also part of the secret data (Ds). 

10. Method according to claim 1 for protecting one or more microcomputer cards, 
characterized in that the secret data is stored in the E²PROM memory of said microcomputer 
card. 

11. Protection method according to claim 1, characterized in that a conversion table 
calculation program is stored in each computer system and activated by a given event in order 
to calculate the tables and store all or part of these tables in the secret data. 

12. Protection method according to claim 11, characterized in that the given event is the 
exceeding of a given value by a counter. 

13. Utilization of the method according to claim 1 to protect a cryptographic calculation 
process supported by the DES, Triple DES and RSA algorithms. 

14. Computer system comprising means for storing a modified cryptographic algorithm that 
adheres to the computational phases of the standard cryptographic algorithm and uses a secret 
encryption key contained in a secret area of storage means, and means for executing this 
modified cryptographic algorithm, characterized in that the computer system comprises first 
secret means for replacing each intermediate variable required for the computational phases 
of the standard algorithm with a plurality (k) of partial intermediate variables, second means 
for applying a nonlinear transformation table to each of these partial intermediate variables, 
and third secret means for reconstituting the final result corresponding to the utilization of the 
standard cryptographic algorithm from results obtained on the partial variables. 

15. Computer system according to claim 14, characterized in that secret data stored in the 
secret area includes at least one first random variable v_1 constituting at least one secret 
partial variable, and the modified algorithm determines at least one other partial variable, for 
example v_2, by applying a first secret function to the intermediate variable v and the secret 
partial variable or variables v_i. 

16. Computer system according to claim 15, characterized in that the modified algorithm 
includes means for applying the nonlinear transformations to the partial variables v_1 and v_2 
by using tables, at least one of which, A, formed by random selection, is stored in the secret 
data Ds, the other tables required for the calculations being stored in a nonvolatile memory, 
means for executing the various computational rounds of the standard algorithm, each time 
using the tables on the partial variables, and means for calculating the result in the last round 
of the algorithm by combining the partial variables in accordance with a second secret 
function. 

17. Computer system according to claim 14, characterized in that the first secret means of the 
modified algorithm are constituted by a function f linking the partial intermediate variables 
and each intermediate variable (v), such that the knowledge of one value of this intermediate 
variable never makes it possible to deduce all of the particular partial values v_i such that 
there exists a (k-1)-tuple (v_1, ..., v_{i-1}, v_{i+1}, ..., v_k) that satisfies the equation 
f(v_1, ..., v_k) = v. 

18. Computer system according to claim 14, characterized in that the second means of the 
modified algorithm are constituted by k partial conversion tables, and among the k partial 
conversion tables, k-1 partial conversion tables contain secret random variables. 

19. Computer system according to claim 18, characterized in that the second means of the 
modified algorithm comprise k conversion tables, each of these conversion tables receiving as 
input a value obtained by applying a secret bijective function φ_j to said function 
f(v_1, ..., v_k) of the partial intermediate variables in accordance with the relation 
φ_j ∘ f(v_1, ..., v_k), j ∈ [1, k], this application φ_j ∘ f(v_1, ..., v_k) being performed by direct 
evaluation of a resulting value, this resulting value, applied to the input of the conversion 
table, making it possible to read n output bits of the transformation at an address that is a 
function of these m input bits. 

20. Computer system according to claim 14, characterized in that the second means of the 
modified algorithm comprise means for replacing each nonlinear transformation applied to an 
intermediate variable of the standard cryptographic calculation process, without a separation, 
with a partial nonlinear transformation of km bits into kn bits applied to all of the partial 
intermediate variables, means for calculating (k-1)n of said output bits of this transformation 
as a polynomial function of the km input bits, and means for reading the remaining n bits of 
said output bits by reading a conversion table in which the n remaining bits are read at an 
address that is a function of the km input bits. 

21. Computer system according to claim 14, characterized in that it includes means for 
sequentially executing the operations performed by the modified algorithm in the various 
parts resulting from the separation of the cryptographic calculation process into several 
distinct calculation process parts. 

22. Computer system according to claim 14, characterized in that it includes means for 
executing, in interleaved fashion, the operations performed in the various parts resulting from 
the separation of the cryptographic calculation process into several distinct calculation 
process parts. 

23. Computer system according to claim 14, characterized in that it includes means for 
simultaneously executing the operations performed in the various parts resulting from the 
separation of the cryptographic calculation process into several distinct calculation process 
parts, in the event of multiprogramming. 

24. Computer system according to claim 14, characterized in that it includes means for 
simultaneously executing, in different processors working in parallel, the operations 
performed in the various parts resulting from the separation of the cryptographic calculation 
process into several distinct calculation process parts. 

25. Computer system according to claim 14, characterized in that it includes a conversion 
table calculation program stored in each computer system and means for the activation by a 
given event of the calculation of the tables and for the storage of all or part of these tables in 
the secret data. 

26. Computer system according to claim 14, characterized in that a counter includes means 
for storing a value that is incremented with each cryptographic calculation so as to constitute 
the given event for the activation, by activating means, of the calculation of the tables when a 
given value is exceeded. 
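To make the structure claimed in claims 14 to 19 (partial variables, a random secret table A, a secret bijection φ applied by direct evaluation, recombination by a second secret function) and the counter-driven regeneration of claims 11, 12, 25 and 26 concrete, the following Python script is an added illustration; it is not code from the patent or from its applicants. Its constructed assumptions: a 4-bit toy S-box (row 0 of DES S1) stands in for the DES 6-to-4-bit S-boxes, XOR serves as both the first secret function f(v_1, v_2) = v_1 ⊕ v_2 and the recombining function, φ is a random permutation, "resets the card to zero" is modelled as the card refusing all further calculations, and the names generate_secret_data, Card, run_without_power_up and the thresholds n and c are the example's own.

```python
import random

M_BITS = 4                     # constructed toy width; DES S-boxes map 6 input bits to 4
N = 1 << M_BITS
# Constructed sample S-box (row 0 of DES S1) standing in for any public nonlinear table.
S_BOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]


def generate_secret_data(rng=None):
    """Calculation program (61): build the secret data Ds for one device and one key.

    phi   : secret bijection on m-bit values (claims 8, 9), a random permutation here
    A     : random table stored in Ds (claim 16)
    B     : derived so that A[phi(v)] XOR B[phi(v)] == S_BOX[v] for every v
    phi_f : phi o f(v1, v2), with f = XOR, tabulated directly on the pair (v1, v2) so
            the unmasked value v is never formed during the lookup (claim 19)
    """
    rng = rng or random.SystemRandom()
    phi = list(range(N))
    rng.shuffle(phi)
    a_tab = [rng.randrange(N) for _ in range(N)]
    b_tab = [0] * N
    for v in range(N):
        b_tab[phi[v]] = S_BOX[v] ^ a_tab[phi[v]]
    phi_f = [[phi[v1 ^ v2] for v2 in range(N)] for v1 in range(N)]
    return {"phi": phi, "A": a_tab, "B": b_tab, "phi_f": phi_f}


def split(v, rng):
    """First secret means (claims 15, 17): v = v1 XOR v2 with v1 drawn at random,
    so one partial value alone never determines v."""
    v1 = rng.randrange(N)
    return v1, v ^ v1


def masked_sbox(ds, v1, v2):
    """Second means (claims 16, 18): apply the conversion tables to the partial variables."""
    x = ds["phi_f"][v1][v2]        # direct evaluation of phi(f(v1, v2))
    return ds["A"][x], ds["B"][x]  # two partial outputs; A[x] is a random value


def recombine(w1, w2):
    """Third secret means (claims 14, 16): reconstitute the standard S-box output."""
    return w1 ^ w2


def tables_consistent(ds):
    """True if every input v under every split of v recombines to S_BOX[v]."""
    return all(recombine(*masked_sbox(ds, v1, v ^ v1)) == S_BOX[v]
               for v in range(N) for v1 in range(N))


class Card:
    """Counter-driven table regeneration (description variant; claims 11, 12, 25, 26)."""

    def __init__(self, n, c, rng=None):
        self.rng = rng or random.SystemRandom()
        self.n, self.c = n, c       # n: regeneration threshold; n + c: fraud threshold
        self.counter = 0            # additional counter (62), nonvolatile in a real card
        self.ds = generate_secret_data(self.rng)
        self.reset_to_zero = False  # assumption: "reset to zero" modelled as refusing use

    def power_up(self):
        """Operating system at power-up: once the counter exceeds n, compute new tables
        with the calculation program (61), store them in Ds and clear the counter."""
        if self.counter > self.n:
            self.ds = generate_secret_data(self.rng)
            self.counter = 0

    def compute(self, v):
        """One DESm execution: refuse if the counter has passed n + c, otherwise
        increment it, split v, look up the tables and recombine."""
        if self.reset_to_zero:
            raise RuntimeError("card has been reset to zero")
        if self.counter > self.n + self.c:
            self.reset_to_zero = True   # attempted fraud assumed
            raise RuntimeError("counter exceeded n + c: attempted fraud assumed")
        self.counter += 1
        v1, v2 = split(v, self.rng)
        return recombine(*masked_sbox(self.ds, v1, v2))


def run_without_power_up(card, attempts):
    """Count the calculations a card accepts when it is never powered down in between."""
    accepted = 0
    for i in range(attempts):
        try:
            card.compute(i % N)
        except RuntimeError:
            break
        accepted += 1
    return accepted


if __name__ == "__main__":
    card = Card(n=5, c=2)
    print("tables consistent:", tables_consistent(card.ds))
    print("accepted before reset to zero:", run_without_power_up(card, 20))
```

Two points the script makes visible. Each partial output is read from a table whose entries are either random (A) or random XOR the true value (B), so neither partial on its own is a function of v that an observer could predict from a key hypothesis; only the device, holding both, recombines them. The counter bounds how many calculations run under one set of tables: with n = 5 and c = 2 a card that is never powered down accepts n + c + 1 = 8 calculations and then refuses, whereas a card that is powered up after the counter passes n receives fresh tables and a cleared counter.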
ABSTRACT 



The invention relates to a method for protecting one or more computer systems using 
the same secret key (Ks) cryptographic algorithm, characterized in that the way in which said 
calculation is performed depends, for each computer system and for each secret key, on secret 
data (Ds) stored in a secret area of the computer system or systems. 